CVE-2008-1198

First published: Thu Feb 28 2008(Updated: )

Description of problem: The default IPSec ifup script (/etc/sysconfig/network-scripts/ifup-ipsec) initializes the racoon configuration to use aggressive IKE mode, then fallback to main IKE mode if that fails: ... remote $DST { exchange_mode aggressive, main; ... Due to widely known attacks, the aggressive mode should be only used when public key authentication is in use. In practice, most administrators use IPSec with PSK authentication, which combined with aggressive mode leads to aforementioned vulnerability. See this whitepaper for more information: <a href="http://www.netsc.ch/IMG/pdf/TargetingIKE_en.pdf">http://www.netsc.ch/IMG/pdf/TargetingIKE_en.pdf</a> The exchange_mode should be changed to "main" only or, for a low-security fallback, to "main, aggressive" (in the opposite order than currently).

Credit: secalert@redhat.com

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

• collector/nvd-historical
• collector/nvd-index
• agent/type
• agent/softwarecombine
• agent/first-publish-date
• collector/mitre-cve
• source/MITRE
• agent/last-modified-date
• agent/author
• agent/references
• agent/severity
• agent/weakness
• agent/description
• agent/event
• agent/tags
• collector/redhat-bugzilla
• source/Red Hat
• alias/CVE-2008-1198
• vendor/redhat
• canonical/redhat enterprise linux
• version/redhat enterprise linux/5.0
• version/redhat enterprise linux/3.0
• version/redhat enterprise linux/4.0